General Information

Privilege Elevation via Session Puzzling

Variants:
Direct

Also Known As:
Session Variable Overloading, Session Poisoning

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Application

Affected Mechanisms:
Session Management

Invented In:
01/05/2011

Added In:
04/12/2014


Vector Operation Method:
Malicious users can abuse hard-coded default session values, or several application components that rely on the same session attribute, to reach normally restricted locations in the application by following access sequences the developers did not anticipate. Logical session puzzling attacks combine forced browsing in customized sequences, hard-coded default session attributes, and, in many cases, session poisoning.
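The overloading described above, as an added illustration that is not part of the original entry: a password-recovery step and an account page both keyed off one session attribute, beside a hardened version that keeps partial-flow state under its own key and gates sensitive pages on an explicit authenticated flag. The session is a plain dict and all function names are assumed for the example.

```python
"""Session puzzling: two handlers sharing one session attribute.

Constructed, self-contained example (not from the original page): the
session is a plain dict and handlers are plain functions.
"""

class Forbidden(Exception):
    """Raised when a handler refuses to serve the current session."""

# --- Vulnerable: recovery step 1 and the account page both key off
# session["username"], so merely starting recovery "logs in" the user. ---
def vuln_recovery_step1(session, username):
    # Identity is stored before any secret has been verified.
    session["username"] = username
    return "answer your secret question"

def vuln_account_page(session):
    # Access control reduced to "is some username present in the session?"
    if "username" not in session:
        raise Forbidden()
    return f"account data for {session['username']}"

# --- Hardened: flow-specific keys plus an authenticated flag that only a
# completed login sets; sensitive pages check the flag, not a bare name. ---
def safe_recovery_step1(session, username):
    # Partial-flow state lives under its own key and proves nothing.
    session["recovery_username"] = username
    return "answer your secret question"

def safe_login(session, username, password, check_password):
    # check_password is an injected verifier (assumed for the example).
    session.clear()              # drop any half-finished flow state first
    if not check_password(username, password):
        return False
    session["username"] = username
    session["authenticated"] = True
    return True

def safe_account_page(session):
    if not session.get("authenticated") or "username" not in session:
        raise Forbidden()
    return f"account data for {session['username']}"

def is_accessible(page, session):
    """True if `page` serves content for this session, False if refused."""
    try:
        page(session)
        return True
    except Forbidden:
        return False
```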


Direct Variant:

Privilege Elevation via Session Puzzling

Variant Title:
Privilege Elevation via Session Puzzling

Typical Severity:
Major

Learn More: